The notorious unit of Russia's GRU military intelligence agency known as Sandworm remains the only team of hackers to have ever triggered blackouts with their cyberattacks, turning off the lights for hundreds of thousands of Ukrainian civilians not once, but twice within the past decade. Now it appears that in the midst of Russia's full-scale war in Ukraine, the group has achieved another dubious distinction in the history of cyberwar: It targeted civilians with a blackout attack at the same time missile strikes hit their city, an unprecedented and brutal combination of digital and physical warfare.


Cybersecurity firm Mandiant today revealed that Sandworm, a cybersecurity industry name for Unit 74455 of Russia's GRU spy agency, carried out a third successful power grid attack targeting a Ukrainian electric utility in October of last year, causing a blackout for an unknown number of Ukrainian civilians. In this case, unlike any previous hacker-induced blackouts, Mandiant says the cyberattack coincided with the start of a series of missile strikes targeting Ukrainian critical infrastructure across the country, which included victims in the same city as the utility where Sandworm triggered its power outage. Two days after the blackout, the hackers also used a piece of data-destroying "wiper" malware to erase the contents of computers across the utility's network, perhaps in an attempt to destroy evidence that could be used to analyze their intrusion.


Mandiant, which has worked closely with the Ukrainian government on digital defense and investigations of network breaches since the start of the Russian invasion in February of 2022, declined to name the targeted electric utility or the city where it was located. Nor would it offer information like the length of the resulting power loss or the number of civilians affected.


Mandiant does note in its report on the incident that as early as two weeks before the blackout, Sandworm's hackers appear to have already possessed all the access and capabilities necessary to hijack the industrial control system software that oversees the flow of power at the utility's electrical substations. Yet it appears to have waited to carry out the cyberattack until the day of Russia's missile strikes. While that timing may be coincidental, it more likely suggests coordinated cyber and physical attacks, perhaps designed to sow chaos ahead of those air strikes, complicate any defense against them, or add to their psychological effect on civilians.


"The cyber incident exacerbates the impact of the physical attack," says John Hultquist, Mandiant's head of threat intelligence, who has tracked Sandworm for nearly a decade and named the group in 2014. "Without seeing their actual orders, it's really hard on our side to make a determination of whether or not that was on purpose. I will say that this was carried out by a military actor and coincided with another military attack. If it was a coincidence, it was a terribly interesting coincidence."


Nimbler, Stealthier Cybersaboteurs 


The Ukrainian government's cybersecurity agency, SSSCIP, declined to fully confirm Mandiant's findings in response to a request from WIRED, but it didn't dispute them. SSSCIP's deputy chair, Viktor Zhora, wrote in a statement that the agency responded to the breach last year, working with the victim to "minimize and localize the impact." In an investigation over the two days following the near-simultaneous blackout and missile strikes, he says, the agency confirmed that the hackers had found a "bridge" from the utility's IT network to its industrial control systems and planted malware there capable of manipulating the grid.


Mandiant's more detailed breakdown of the intrusion shows how the GRU's grid hacking has evolved over time to become far more stealthy and nimble. In this latest blackout attack, the group used a "living off the land" approach that has become more common among state-sponsored hackers seeking to avoid detection. Instead of deploying their own custom malware, they exploited the legitimate tools already present on the network to spread from machine to machine before finally running an automated script that used their access to the facility's industrial control system software, known as MicroSCADA, to cause the blackout.
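
The living-off-the-land pattern described above (legitimate tools already on the network, then a script driving the grid control software) is the kind of activity defenders can look for in process-creation telemetry rather than in antivirus signatures. The following is an added example, not code from the article, from Mandiant, or from the utility: it runs a handful of constructed Windows process-creation events through three simple rules, a built-in scripting host starting on a machine inside an assumed ICS address range, a command line referencing a path on a non-system drive (mounted or removable media), and a scripting host spawning a binary under a hypothetical SCADA install directory. The ICS range, the SCADA directory, the event format and every event are assumptions made for the example; none of them are MicroSCADA's real paths or Sandworm's actual tooling.

```python
"""Toy detection over constructed process-creation events: flag
'living off the land' execution patterns on hosts in an ICS segment."""
import ipaddress
import re
from dataclasses import dataclass

# Assumption (constructed for this example): the ICS/SCADA hosts live here.
ICS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")

# Built-in Windows scripting hosts that living-off-the-land intrusions reuse
# instead of dropping custom malware.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}

# Hypothetical install directory for the grid control software. The article
# does not give the real product paths, so this is a placeholder.
SCADA_DIR = r"c:\program files\scada_app"

# A drive-letter path that is not on the system drive C: (e.g. mounted ISO,
# USB stick, mapped share).
NON_SYSTEM_DRIVE = re.compile(r"(?<!\w)([d-z]):\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    ts: str
    host_ip: str
    parent_image: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class Alert:
    rule: str
    ts: str
    host_ip: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_ics_segment(ip: str) -> bool:
    return ipaddress.ip_address(ip) in ICS_SEGMENT


def detect(events):
    """Apply the three rules to events from ICS-segment hosts; IT-segment
    events are ignored because scripting there is routine."""
    alerts = []
    for ev in events:
        if not in_ics_segment(ev.host_ip):
            continue
        image = _basename(ev.image)
        parent = _basename(ev.parent_image)
        # Rule 1: a scripting host running on an ICS machine at all.
        if image in SCRIPT_HOSTS:
            alerts.append(Alert("script_host_on_ics", ev.ts, ev.host_ip, ev.cmdline))
        # Rule 2: command line points at content on a non-system drive.
        m = NON_SYSTEM_DRIVE.search(ev.cmdline)
        if m:
            alerts.append(Alert("non_system_drive_path", ev.ts, ev.host_ip, m.group(0)))
        # Rule 3: a scripting host launched a SCADA-application binary.
        if parent in SCRIPT_HOSTS and ev.image.lower().startswith(SCADA_DIR):
            alerts.append(Alert("script_host_spawned_scada_tool", ev.ts, ev.host_ip, ev.image))
    return alerts


# Constructed sample telemetry (not real log data). The second and third
# events model a script on removable media driving the SCADA client; the
# fourth is ordinary PowerShell use on an IT-segment workstation.
SAMPLE_EVENTS = [
    ProcessEvent("T+00:00:01", "10.20.5.7", r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ProcessEvent("T+00:02:14", "10.20.5.7", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\wscript.exe", r"wscript.exe D:\tools\run.vbs"),
    ProcessEvent("T+00:02:15", "10.20.5.7", r"C:\Windows\System32\wscript.exe",
                 r"C:\Program Files\SCADA_APP\bin\scadacli.exe", "scadacli.exe -batch"),
    ProcessEvent("T+00:05:00", "10.1.3.4", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -File report.ps1"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.ts} {a.host_ip} {a.rule}: {a.detail}")
```

Run as a script it prints three alerts, all for the ICS host, and none for the IT workstation. The point of the segment check is that the same binaries are noise on office machines but rare enough on HMI and engineering hosts to be worth a ticket, which is the asymmetry a living-off-the-land intrusion relies on defenders not exploiting.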


In Sandworm's 2016 blackout that hit a transmission station north of the capital of Kyiv, by contrast, the hackers used a custom-built piece of malware known as Crash Override or Industroyer, capable of automatically sending commands over several protocols to open circuit-breakers. In another Sandworm power grid attack in 2022, which the Ukrainian government has described as a failed attempt to trigger a blackout, the group used a newer version of that malware known as Industroyer2.